VMware NSX mashes up Nicira and homegrown network virt

Having let go of its aspirations to be a player higher up in the systems stack – now that application frameworks, caching software, and other elements of the business have been shuffled off to the new Pivotal group established by parent EMC – VMware is doubling down in the virtualization business, and its top brass were banging the software-defined data center (SDDC) drum pretty loudly down at its analyst meeting on Wall Street this morning. They also talked a bit about what VMware is going to do with network virtualizer Nicira, which it bought last summer for a whopping $1.26bn.

You wouldn't normally expect a lot of news to come out of a briefing with financial analysts, but EMC and VMware like to keep everyone on their toes. More importantly, VMware has been under the gun in recent months, after admitting back in December that its products are a bit jumbled up, and then in January that it needed to lay off about 7 per cent of the VMware workforce to make its profit targets.

And so, EMC and its virtualization minion decided to make a bit of news while at the same time getting Wall Street excited about VMware's and EMC's respective revenue and profit streams over the next few years.

First, as El Reg previously reported, VMware announced that it is building its own public cloud, called the vCloud Hybrid Cloud service. (Yes, that is two clouds in the name when Hybrid vCloud, or better still vCloud Public, would do.)

The VMware public cloud will roll out in the middle of this year and has been in beta testing for the past year, and is widely believed to have been developed under an effort called Project Zephyr.

The details on the vCloud Hybrid Cloud service are a bit scarce, but VMware is going to let the same 55,000 reseller channel partners who peddle VMware software licenses today push capacity on this cloud, which will be based on VMware's ESXi hypervisor and its many vCloud Suite extensions.

And, explained VMware CEO Pat Gelsinger, the same intellectual property that the company created to run its own public cloud will be made available to the 220 service provider partners who have already built clouds to support ESXi virtual machines.

How useful this will be to any of them remains to be seen, but given that they already have cloudy infrastructure and have most likely tweaked their internal control freak programs to run ESXi inside their own tools, this seems of dubious value to companies like Verizon Terremark, Savvis, and NaviSite, which no doubt have more experience running clouds than VMware will have for many years to come.

The other big news on the VMware front was something called VMware NSX, which is a mash-up of the homegrown virtual switching components of its ESXi hypervisor, known collectively as vCloud Network and Security (VCNS), and the vSwitch and OpenFlow controller it got through the Nicira deal.

The homegrown virtual switching and security software is really part of the hypervisor, no matter how VMware has pitched it as something separate. This is all golden screwdriver stuff, with the screwdriver activating or deactivating virtual switches and virtual firewalls as you pay for these features inside of ESXi.

Both Nicira and VMware had a mix of open and closed software in their stacks, and there is no reason to believe that the combined NSX product is going to be entirely open source, even if it does hook into open source controllers like OpenStack.

Block diagram of the NSX virtual networking stack from VMware

Back when the Nicira deal was done in July 2012, the virtual networker was still in stealth mode, but its Open vSwitch virtual switch was already integrated both with the Linux kernel and with the KVM and XenServer hypervisors, thanks to work done by Red Hat and Citrix Systems, respectively.

Open vSwitch was in the process of being integrated with Microsoft's Hyper-V hypervisor, but the virtual switch could not plug directly into VMware's ESXi hypervisor (as its native homegrown switch does), even though you could package Open vSwitch up as an ESXi appliance if you wanted to use it in conjunction with ESXi. You had to talk to it as if it was separate.

Bogomil Balkansky, senior vice president of product marketing for virtualization and cloud platforms at VMware, agreed with El Reg at the time that the simplest integration for VMware to do, conceptually, was to get Open vSwitch running natively and plugging in directly with ESXi.

Balkansky also hinted that VMware would take some of the vShield security software that is part of the homegrown VCNS code, which provides Layer 4 through 7 security for VMs, and move it out of the hypervisor and into the NVP OpenFlow controller.

Raghu Raghuram, executive vice president of cloud infrastructure and management at VMware, kept it at a high level for Wall Street. "The new edge of the network is virtual, and it terminates in the hypervisor, and that is pretty good for us," he explained. "We see server administration and network administration coming together over time."

Them's fighting words in a lot of data centers in the world, but convergence is a reality as much as virtualization is, and IT shops are going to have to cope.

As it turns out, NSX is a bit more ambitious than VMware was hinting, and has the goal of creating a completely virtualized networking layer, much as ESXi does a complete job of virtualizing processors and memory – and for the most part, I/O – inside physical servers. Hatem Naguib, vice president of networking and security at VMware, explained it pretty well in a blog post.

The NSX controller is presumably based on the NVP Controller that Nicira cooked up and most certainly did not open source. This is the bit of the OpenFlow setup that runs the control plane that would normally be embedded in physical switches, but has been sucked out of all of the devices and stored centrally in the controller.

This controller is just an x86 box running the Nicira (now VMware) code, and it basically has snapshots of all of the routing and forwarding tables in each switch, which you can change in the controller as necessary and then push out to the physical switches. This is all done programmatically, like starting up and shutting down VMs is done through APIs in ESXi and its vCenter Server control freak on the server-virtualization side.

The NSX controller will support any hypervisor, and will plug into VMware's vCloud cloud controller as well as the OpenStack cloud controller, which Nicira was favoring. And Open vSwitch will be sucked into the ESXi hypervisor, making it a peer with Hyper-V, KVM, and Xen.

Presumably, VMware will continue to support the Nexus 1000V virtual switch from Cisco Systems for those customers who want it, and its own vSwitch virtual switch for those who want to stick with it, but the company did not say.

Raghuram said that the VCNS approach it had been using was "just a virtual patch cable" between server virtual machines and physical switches, and that the NVS vSwitch (the "Open" part seems to have disappeared from the name) would start doing good things with the packets as they flit around between VMs.

Each hypervisor in the NSX setup will have a vSwitch with a programmable Layer 2 through 4 data plane, and the NSX controller would dynamically program IP encapsulation tunnels using its own VXLAN or the Stateless Transport Tunneling (STT) protocols; the NVGRE protocol favored by Microsoft was not discussed.

VXLAN and NVGRE are Layer 2 overlays on Layer 3 networks that, in effect, allow a virtual machine to hop out of a data center and over a router as if it were just hopping from one server rack to another through a top-of-rack switch. This sounds simple enough, but it is tricky. STT makes use of TCP segmentation offload features in network interface cards to create a quick and dirty IP tunnel between hypervisors, but it only works if you have the same NICs everywhere. VXLAN and NVGRE are supposed to be multi-vendor protocols, and they will likely become that and, if the industry has any sense, converge into a common standard.
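To make the overlay idea concrete, here is an added example (not code from the article or from VMware) that builds and then parses a VXLAN-encapsulated Ethernet frame as it would look on the Layer 3 underlay: outer IPv4 header, outer UDP header to port 4789, the 8-byte VXLAN header carrying the 24-bit VNI, and the original VM-to-VM frame inside. The tunnel endpoint addresses (10.0.0.1, 10.0.0.2), the VNI 5001, the MAC addresses and the payload are all constructed sample values. The parser performs the checks a tunnel endpoint or a monitoring sensor should make on an overlay packet: well-formed headers, the VNI-valid flag set, and a VNI that is actually provisioned on this endpoint, since the VNI is the only thing separating tenants inside the tunnel.

```python
import socket
import struct

VXLAN_PORT = 4789    # IANA-assigned UDP destination port for VXLAN (RFC 7348)
VXLAN_FLAG_I = 0x08  # "I" flag: the VNI field in the header is valid


def build_vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags(8) | reserved(24) | VNI(24) | reserved(8)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    # The VNI occupies the top 24 bits of the second 32-bit word.
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_udp(src_ip: str, dst_ip: str, payload: bytes,
                   src_port: int = 49152, dst_port: int = VXLAN_PORT) -> bytes:
    """Outer IPv4 + UDP headers around the VXLAN payload."""
    udp_len = 8 + len(payload)
    # UDP checksum 0 = not computed, which IPv4 permits and VXLAN endpoints commonly use.
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(udp), 0, 0x4000, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + udp


def encapsulate(inner_frame: bytes, vni: int, src_ip: str, dst_ip: str) -> bytes:
    """What the sending hypervisor's vSwitch puts on the underlay."""
    return build_ipv4_udp(src_ip, dst_ip, build_vxlan_header(vni) + inner_frame)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def decapsulate(packet: bytes, allowed_vnis) -> dict:
    """Validate outer IPv4/UDP/VXLAN headers and return the VNI and inner frame.

    Raises ValueError for anything malformed or for a VNI this endpoint does not
    serve; a real endpoint or IDS would drop and log such packets.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a valid IPv4 header")
    if packet[9] != 17:
        raise ValueError("outer protocol is not UDP")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    udp = packet[ihl:]
    if len(udp) < 8:
        raise ValueError("truncated UDP header")
    _, dst_port, udp_len, _ = struct.unpack("!HHHH", udp[:8])
    if dst_port != VXLAN_PORT:
        raise ValueError("UDP destination port is not VXLAN")
    if udp_len != len(udp):
        raise ValueError("UDP length does not match packet")
    vx = udp[8:]
    if len(vx) < 8 + 14:  # VXLAN header plus at least an Ethernet header
        raise ValueError("truncated VXLAN header or inner frame")
    flags, word = struct.unpack("!B3xI", vx[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    vni = word >> 8
    if vni not in allowed_vnis:
        raise ValueError(f"VNI {vni} is not provisioned on this endpoint")
    inner = vx[8:]
    return {
        "outer_src": socket.inet_ntoa(packet[12:16]),
        "outer_dst": socket.inet_ntoa(packet[16:20]),
        "vni": vni,
        "inner_dst_mac": mac_str(inner[0:6]),
        "inner_src_mac": mac_str(inner[6:12]),
        "ethertype": struct.unpack("!H", inner[12:14])[0],
        "inner_payload": inner[14:],
    }


def demo() -> dict:
    """Constructed sample: a VM-to-VM IPv4 frame carried between two hypothetical
    hypervisor tunnel endpoints (10.0.0.1 -> 10.0.0.2) on VNI 5001."""
    inner = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
             + struct.pack("!H", 0x0800) + b"constructed payload")
    wire = encapsulate(inner, 5001, "10.0.0.1", "10.0.0.2")
    return decapsulate(wire, allowed_vnis={5001})


def rejects_unprovisioned_vni() -> bool:
    """A frame arriving on a VNI this endpoint does not serve must be refused."""
    wire = encapsulate(bytes(14), 4242, "10.0.0.1", "10.0.0.2")
    try:
        decapsulate(wire, allowed_vnis={5001})
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
    print("unprovisioned VNI rejected:", rejects_unprovisioned_vni())
```

The point a defender should take from the layout is that nothing in the VXLAN header authenticates the sender or the VNI: any host that can deliver UDP datagrams to port 4789 on a hypervisor can present frames on any tenant's segment, so tenant separation in the overlay depends on the underlay restricting which peers may reach that port and on the endpoint dropping VNIs it has not been told about, as the parser above does.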

The NSX controller that VMware has cooked up from its VCNS and Nicira raw ingredients will also be able to hook into logical or physical routers, firewalls, load balancers, virtual private network controllers, security appliances, and network monitors. The NSX controller is implemented as a cluster for both scalability and high availability reasons, and has an external management console called – you guessed it – NSX Manager.

This architecture will allow VMware to do what it has with the ESXi hypervisor and its vCenter Server console over the years. As other OpenFlow controllers flood the market, VMware will be able to cut the price on the NSX controller or give it away for free – or even perhaps open source it – while keeping the management console that allows you to get at the features to be a priced component.

The NSX virtual networking stack will launch in the second half of this year. ®